Abstract

In recent algorithms that use deformation in order to compute the number of
points on varieties over a finite field, certain differential equations of
matrices over p-adic fields emerge. We present a novel strategy to solve this
kind of equations in a memory efficient way. The main application is an
algorithm requiring quasi-cubic time and only quadratic memory in the
parameter n, that solves the following problem: for E a hyperelliptic curve of
genus g over a finite field of extension degree n and small characteristic,
compute its zeta function. This improves substantially upon Kedlaya's result
which has the same quasi-cubic time asymptotic, but requires also cubic memory
size.

AMS (MOS) Subject Classification Codes: 11G20, 11Y99, 12H25, 14F30, 14G50,
14Q05.

1 Introduction and results

Originally motivated by cryptography (see [4] for an overview), in recent years
much effort was put in finding algorithms that compute zeta functions of
varieties over finite fields. The most efficient algorithms often use
deformation, i.e. they 'deform' the input variety to another variety that is
easier to handle. This use of deformation originates from the work of Lauder
[16] in computing zeta functions of higher dimensional varieties. In that
paper, the deformation step allowed him to reduce the dependency on the
dimension in the algorithms. Also Tsuzuki [17] came up with this idea in the
context of the computation of Kloosterman sums. Later Gerkmann [9] and the
present author [13, 12] showed that even in dimension one, profit can be drawn
from the use of deformation.
Central in all these applications stands a certain p-adic differential equation,
namely the Picard-Fuchs equation of the associated connection. In the present
paper we give an algorithm that allows us to compute a particular solution of
this equation in a memory efficient way. Combining this with a well chosen
deformation, from a general hyperelliptic curve to one defined over the prime
field, yields our main result (Theorem 5), stating that for a hyperelliptic
curve of genus g over the finite field $\mathbb{F}_{p^n}$, p odd, the zeta
function can be computed in time and memory (where we assume p fixed and count
bit operations)

$$\tilde{O}(n^3 g^{6.376}) \quad \text{respectively} \quad O(n^2 g^4 (\log g)^2).$$

This result can be compared to Kedlaya's algorithm [15] that has
$\tilde{O}(n^3 g^4)$ as time and $O(n^3 g^3)$ as space requirements. The crucial
improvement is hence that our algorithm only requires an amount of memory
quadratic in n. Note that the $\tilde{O}$ is the soft-Oh notation as defined in
[18, Definition 25.8] (it is essentially a big-Oh notation that ignores
logarithmic factors).

Later on Denef and Vercauteren [7] extended Kedlaya's algorithm to
characteristic two. Combining this with our new result yields 'on average' the
same result as in odd characteristic, see Theorem 6 in Section 4.1. The result
for the 'general case' is slightly worse.

For any small characteristic it is also possible to compute the zeta functions
of n curves within a one dimensional linear family all at once in time 0{tt''^'')
for arbitrary $\rho > 0$. This result is presented in Section 4.2, and in
Section 4.3 an additional application concerning hypersurfaces is explained. We
note that all our complexities are bitwise unless mentioned otherwise.

Before we prove these results, we give in Section 2 a very general form of the
algorithms involved, including a thorough investigation of the error propagation
during the computations, all of which is concluded in Theorem 2.

The author wishes to thank Wouter Castryck, Filip Cools, Jan Denef, Jan 
Tuitman and the referee for their helpful remarks. 

2 The differential equation 

In this section we will define the differential equation referred to above. Given 
some conditions on the coefficients and on certain local solutions of this equation, 
we can present two algorithms that solve it, together with their complexity 
analysis. 

2.1 A general kind of p-adic differential equation 

Let p be a prime number and $\mathbb{K}$ a degree n field extension of the field
of p-adic numbers $\mathbb{Q}_p$. We denote with ord the valuation on
$\mathbb{K}$ normalized to ord(p) = 1, and
$\mathcal{O}_{\mathbb{K}} := \{x \in \mathbb{K} \mid \mathrm{ord}(x) \geq 0\}$ is
the ring of integers of $\mathbb{K}$. Let m > 0 be an integer. If we say that we
are working in $\mathbb{K}$ modulo $p^m$, we mean that we use absolute
precision, i.e. two numbers are considered equal when their difference has
valuation at least m. We will also use power series in $\Gamma$ modulo
$\Gamma^\ell$ for some integer $\ell > 0$. The dimension of the square matrices
that we will encounter is denoted by d. If $A(\Gamma)$ is a $(d \times d)$
matrix over $\mathbb{K}[[\Gamma]]$, we will always use
$A_i \in \mathbb{K}^{d \times d}$ in the following sense:
$A(\Gamma) = \sum_i A_i \Gamma^i$, and in order to ease notation we will often
write $A$ instead of $A(\Gamma)$. The valuation
$\mathrm{ord}(A(\Gamma)) = \mathrm{ord}(A)$ is defined to be
$\inf_i(\mathrm{ord}(A_i))$ when this infimum exists, and $-\infty$ otherwise.
We say that a series $\sum_i A_i \Gamma^i$ with
$A_i \in \mathbb{K}^{d \times d}$ is $(x, y)$-log convergent for real numbers
$x > 0$ and $y$ if for every $i \geq 0$

$$\mathrm{ord}(A_i) \geq -x \lceil \log_p(i+1) \rceil - y. \qquad (1)$$

This implies in particular that such a series converges on the open unit disk in
$\mathbb{K}$. The following easy lemma can be found as Lemma 15 in [12].

Lemma 1 If $\sum_i A_i \Gamma^i$ and a second such series converge $(x, y)$-log
resp. $(x', y')$-log, then their product has $(x + x', y + y')$-log convergence.

Let $A, B, X, Y$ be matrices over $\mathbb{K}[\Gamma]$ such that $A_0$ and $B_0$
are invertible. We define $\Lambda$ as the $\mathbb{K}$-linear operator acting
on $\mathbb{K}[[\Gamma]]^{d \times d}$ by



2.2 Requirements for the equation

In the proof of Theorem 2 below, we show that for every boundary condition
$K_0$, a unique solution $K \in \mathbb{K}[[\Gamma]]^{d \times d}$ of
$\Lambda K = 0$ exists. Our goal is to compute an approximation modulo $p^m$ of
this unique solution $K$, where we assume that we know $K_0$, $A$, $B$, $X$ and
$Y$ up to arbitrary precision, and in addition that $K_0$ (and hence
$K(\Gamma)$) are invertible. Write $\zeta$ for an upper bound for the following
three values:

$$\deg A + \deg B, \quad \deg A + \deg X + 1, \quad \deg Y + \deg B + 1.$$

We note that $A(\Gamma)$ and $B(\Gamma)$ are invertible in
$\mathbb{K}[[\Gamma]]^{d \times d}$ and require that there exists some
$\alpha \in \mathbb{R}_{>0}$ such that

$$\mathrm{ord}(A),\ \mathrm{ord}(A^{-1}),\ \mathrm{ord}(B),\ \mathrm{ord}(B^{-1}),\ \mathrm{ord}(K),\ \mathrm{ord}(K^{-1}) \geq -\alpha.$$

We write $C$ for the unique solution of $A \frac{dC}{d\Gamma} + YC = 0$,
$C_0 = 1$, over $\mathbb{K}[[\Gamma]]^{d \times d}$ and $D$ for the solution of
$\frac{dD}{d\Gamma} B + DX = 0$, $D_0 = 1$. Then we require the existence of
constants $\gamma > 0$ and $\delta$ such that

$$C,\ C^{-1},\ D,\ D^{-1} \text{ have } (\gamma, \delta)\text{-log convergence.} \qquad (2)$$

Finally we define $\psi := 5(\alpha + \delta)$ and we require that
$\mathrm{ord}(X), \mathrm{ord}(Y) \geq -\psi$. As a last assumption we need that
$K(\Gamma)$ modulo $p^m$ consists of polynomials of degree less than $\ell$, so
that our approximation will be a finite object.

Note that although these conditions combined seem to be quite severe, they
are met by a suitably adapted version of the differential equations appearing in
the intended point counting algorithms.



2.3 Solving the differential equation 

Due to precision loss during the execution of the algorithm, we have to work
initially with a higher precision than $p^m$. Therefore we define
$\varepsilon := m + (5\gamma + 1)\lceil \log_p \ell \rceil + \psi$ and we work
modulo $p^\varepsilon$. Let $\omega$ be an exponent for matrix multiplication,
meaning that we can compute the product of two $d \times d$ matrices over
$\mathbb{K}$ using $O(d^\omega)$ arithmetic operations in $\mathbb{K}$. We may
take $\omega = 2.376$, see 0.

Theorem 2 Suppose that we know $K_0$, $A$, $A_0^{-1}$, $B$, $B_0^{-1}$, $X$ and
$Y$ modulo $p^\varepsilon$ and that all assumptions of Section 2.2 are met. Then
we can compute $K(\Gamma)$ modulo $p^m$ using
$\tilde{O}(\ell \zeta d^\omega n \varepsilon \log_2 p)$ bit operations and with
memory requirements $O(\ell d^2 n \varepsilon \log_2 p)$ bits. Moreover, we can
compute $K(1)$ modulo $p^m$ in the same amount of time but with memory only
$O(\zeta d^2 n \varepsilon \log_2 p)$ bits.

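Proof. We first give the algorithm, then we will determine how much precision
is lost throughout the computations, and finally we will do a resource analysis.

Let $\mathcal{K}(\Gamma)$ and $\mathcal{K}(1)$ denote the approximations of
$K(\Gamma)$ resp. $K(1)$ that we compute using the following algorithm. Define
the operator $\Lambda'$ on $\mathbb{K}[[\Gamma]]^{d \times d}$ by

$$K \mapsto \Lambda' K := A_0^{-1} A \frac{dK}{d\Gamma} B B_0^{-1} + A_0^{-1} A K X B_0^{-1} + A_0^{-1} Y K B B_0^{-1},$$

then clearly the equation $\Lambda K = 0$ is equivalent to $\Lambda' K = 0$.
Writing down the coefficient of $\Gamma^k$ in $\Lambda' K = 0$ gives an equality
of the form

$$\sum_{a+b+c=k} \left( (b+1) A_0^{-1} A_a K_{b+1} B_c B_0^{-1} + A_0^{-1} A_a K_b X_c B_0^{-1} + A_0^{-1} Y_a K_b B_c B_0^{-1} \right) = 0.$$

If we isolate $K_{k+1}$, this yields

$$(k+1) K_{k+1} = f_k(K_k, K_{k-1}, \ldots, K_{k-(\zeta-1)}) \qquad (3)$$

for some easy to construct linear polynomial $f_k$ defined over
$\mathbb{K}^{d \times d}$ (where we put $K_i = 0$ for $i < 0$). This recursion
relation allows us to calculate $\mathcal{K}(\Gamma)$ as follows: put
$\mathcal{K}_i := 0$ for $i < 0$, $\mathcal{K}_0 := K_0 \bmod p^\varepsilon$ and
for $k = 0, 1, \ldots, \ell - 2$ compute

$$\mathcal{K}_{k+1} := \frac{1}{k+1} f_k(\mathcal{K}_k, \mathcal{K}_{k-1}, \ldots, \mathcal{K}_{k-(\zeta-1)}) \bmod p^\varepsilon. \qquad (4)$$

Finally we define $\mathcal{K}(\Gamma) := \sum_{i=0}^{\ell-1} \mathcal{K}_i \Gamma^i$.
Note that equation (3) implies that the solution $K(\Gamma)$ of $\Lambda K = 0$
exists and is unique.

Computing $\mathcal{K}(1)$ uses the same idea, but in order to save memory we
work as follows. Define $\mathcal{C}_0 := \mathcal{K}_0$ at the start, and put
$\mathcal{C}_k := \mathcal{C}_{k-1} + \mathcal{K}_k \bmod p^\varepsilon$ each
time that a new $\mathcal{K}_k$ is computed. This way we only have to store the
last $\zeta$ matrices
$\mathcal{K}_k, \mathcal{K}_{k-1}, \ldots, \mathcal{K}_{k-(\zeta-1)}$ and
$\mathcal{C}_k$ in order to find $\mathcal{K}_{k+1}$ and $\mathcal{C}_{k+1}$.
After $\ell - 1$ steps we will end with
$\mathcal{C}_{\ell-1} = \sum_{i=0}^{\ell-1} \mathcal{K}_i \bmod p^\varepsilon$.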

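Every time that we multiply non integral elements of $\mathbb{K}$, we can expect
a certain loss in p-adic precision. We will now show that working modulo
$p^\varepsilon$ suffices to conclude that
$\mathcal{K}(\Gamma) = K(\Gamma) \bmod p^m$ and $\mathcal{K}(1) = K(1) \bmod p^m$.
We follow the reasoning of Section 3.5 in [12], but now in a more general
setting.

With the appropriate recursion modulo $(p^\varepsilon, \Gamma^\ell)$ similar to
(4), but now for
$A_0^{-1} A \frac{d\mathcal{C}}{d\Gamma} + A_0^{-1} Y \mathcal{C} = 0$ and
$\mathcal{C}_0 = 1$ we can compute $\mathcal{C}$, and in an analogous way
$\mathcal{D}$ as approximation to $D$. We remark that $\mathcal{C}$ and
$\mathcal{D}$ are only needed for the analysis, not in the actual computation.
Rewriting (4) implies that

$$(k+1)\mathcal{K}_{k+1} - f_k(\mathcal{K}_k, \mathcal{K}_{k-1}, \ldots, \mathcal{K}_{k-(\zeta-1)}) = p^\varepsilon \cdot (\text{integral error matrix}),$$

and if we sum over all $k$ this gives
$\Lambda' \mathcal{K} = p^\varepsilon \mathcal{E}_{\mathcal{K}}$, where
$\mathcal{E}_{\mathcal{K}}$ is a matrix over $\mathcal{O}_{\mathbb{K}}[[\Gamma]]$.
Similarly we can find integral matrices $\mathcal{E}_{\mathcal{C}}$ and
$\mathcal{E}_{\mathcal{D}}$ such that
$A_0^{-1} A \frac{d\mathcal{C}}{d\Gamma} + A_0^{-1} Y \mathcal{C} = p^\varepsilon \mathcal{E}_{\mathcal{C}}$
and
$\frac{d\mathcal{D}}{d\Gamma} B B_0^{-1} + \mathcal{D} X B_0^{-1} = p^\varepsilon \mathcal{E}_{\mathcal{D}}$.
Our goal is proving that the polynomial

$$p^{-\varepsilon}(\mathcal{K} - K) \bmod \Gamma^\ell \text{ has } (5\gamma + 1, \psi)\text{-log convergence.}$$

This would imply that the valuation of $(\mathcal{K} - K) \bmod \Gamma^\ell$ is
at least $-(5\gamma + 1)\lceil \log_p \ell \rceil - \psi + \varepsilon = m$, and
hence the computed $\mathcal{K}$ agrees with the actual solution $K$ modulo
$(p^m, \Gamma^\ell)$. Moreover, as $K \bmod p^m$ has degree less than $\ell$ we
even have $\mathcal{K} = K \bmod p^m$, as required. It is easy to see that this
also implies that $\mathcal{C}_{\ell-1} = K(1) \bmod p^m$.

We follow the proofs of Lemma 17 and 19 of [12]. Let $L$ be a matrix such
that $p^\varepsilon L D = \mathcal{D} - D$. This gives

$$p^\varepsilon \mathcal{E}_{\mathcal{D}} = \frac{d(\mathcal{D} - D)}{d\Gamma} B B_0^{-1} + (\mathcal{D} - D) X B_0^{-1} = p^\varepsilon \frac{dL}{d\Gamma} D B B_0^{-1},$$

or $\frac{dL}{d\Gamma} = \mathcal{E}_{\mathcal{D}} B_0 B^{-1} D^{-1}$. We note
that $L_0 = 0$ and integrate to find

$$p^{-\varepsilon}(\mathcal{D} - D) = LD = \left( \int \mathcal{E}_{\mathcal{D}} B_0 B^{-1} D^{-1} \, d\Gamma \right) D.$$

By Lemma 1 we see that $\mathcal{E}_{\mathcal{D}} B_0 B^{-1} D^{-1}$ has
$(\gamma, 2\alpha + \delta)$-log convergence, and as integrating is not worse
than adding 1 to the logarithmic factor, we find that
$p^{-\varepsilon}(\mathcal{D} - D)$ has
$(2\gamma + 1, 2(\alpha + \delta))$-log convergence. Working similarly we find
the same for $p^{-\varepsilon}(\mathcal{C} - C)$. Note that this implies that
$\mathcal{C}$ and $\mathcal{D}$, which are polynomials of degree less than
$\ell$, are both $(\gamma, \delta)$-log convergent.

Footnote: Gerkmann [8] independently has found a similar control of the error
propagation.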
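From the calculation

$$\Lambda(C K_0 D) = A \frac{dC}{d\Gamma} K_0 D B + A C K_0 \frac{dD}{d\Gamma} B + A C K_0 D X + Y C K_0 D B = 0$$

we conclude that $K = C K_0 D$. Choose $L'$ such that
$p^\varepsilon C L' K_0 D = \mathcal{K} - \mathcal{C} \mathcal{K}_0 \mathcal{D}$,
then

$$p^{-\varepsilon}\left( \Lambda' \mathcal{K} - \Lambda'(\mathcal{C} \mathcal{K}_0 \mathcal{D}) \right) = A_0^{-1} A C \frac{dL'}{d\Gamma} K_0 D B B_0^{-1}.$$

Note that again $L'_0 = 0$, so that if we isolate and integrate, we find

$$L' = p^{-\varepsilon} \int C^{-1} A^{-1} A_0 \left( \Lambda' \mathcal{K} - \Lambda'(\mathcal{C} \mathcal{K}_0 \mathcal{D}) \right) B_0 B^{-1} D^{-1} K_0^{-1} \, d\Gamma.$$

We know that $\Lambda' \mathcal{K} = p^\varepsilon \mathcal{E}_{\mathcal{K}}$ and
verify that

$$\Lambda'(\mathcal{C} \mathcal{K}_0 \mathcal{D}) = p^\varepsilon \left( \mathcal{E}_{\mathcal{C}} \mathcal{K}_0 \mathcal{D} B B_0^{-1} + A_0^{-1} A \mathcal{C} \mathcal{K}_0 \mathcal{E}_{\mathcal{D}} \right).$$

This gives that $p^{-\varepsilon}(\mathcal{K} - \mathcal{C} \mathcal{K}_0 \mathcal{D})$
equals

$$C \left[ \int C^{-1} A^{-1} \left( A_0 \mathcal{E}_{\mathcal{K}} B_0 - A_0 \mathcal{E}_{\mathcal{C}} \mathcal{K}_0 \mathcal{D} B - A \mathcal{C} \mathcal{K}_0 \mathcal{E}_{\mathcal{D}} B_0 \right) B^{-1} D^{-1} \, d\Gamma \right] D,$$

and hence has $(5\gamma + 1, 5(\alpha + \delta))$-log convergence. We conclude
from

$$p^{-\varepsilon}(\mathcal{K} - K) = p^{-\varepsilon}(\mathcal{K} - \mathcal{C} \mathcal{K}_0 \mathcal{D}) + p^{-\varepsilon}(\mathcal{C} - C) \mathcal{K}_0 \mathcal{D} + p^{-\varepsilon} C \mathcal{K}_0 (\mathcal{D} - D)$$

that $p^{-\varepsilon}(\mathcal{K} - K)$ has
$(5\gamma + 1, 5(\alpha + \delta)) = (5\gamma + 1, \psi)$-log convergence.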

In order to prove the theorem we need to bound the time and memory
requirements of the algorithm. We will assume fast arithmetic, see e.g. [1],
which means that all basic ring operations in $\mathbb{K}$ can be performed in
time essentially linear and memory linear in the object size. All elements of
$\mathbb{K}$ that appear in the algorithm have valuation no less than
$-\varepsilon$, hence modulo $p^\varepsilon$ all elements have bit size
$O(n \varepsilon \log_2 p)$. Computing with these numbers requires then
$\tilde{O}(n \varepsilon \log_2 p)$ bit operations.

If we use (4) literally, each computation of some $\mathcal{K}_k$ requires
$O(\zeta^2)$ matrix multiplications. However, the right hand side of (4) is
essentially the coefficient of $\Gamma^k$ in a sum of three products of (matrix)
polynomials of degree $O(\zeta)$, and, using fast multiplication methods for
polynomials over arbitrary algebras, see [S] or [5], can thus be computed using
only $O(\zeta)$ matrix multiplications. As we need $K(\Gamma) \bmod \Gamma^\ell$
this gives in total a time requirement of
$\tilde{O}(\ell \zeta d^\omega n \varepsilon \log_2 p)$ for both algorithms.
Moreover, the size of $\mathcal{K}(\Gamma)$ determines the memory requirements
for the first algorithm, hence we need $O(\ell d^2 n \varepsilon \log_2 p)$ bits
of space. For the second algorithm only $O(\zeta)$ matrices over $\mathbb{K}$
have to be kept in memory, and this gives $O(\zeta d^2 n \varepsilon \log_2 p)$
space. ■
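
The recursion (3)-(4) and the running-sum variant for K(1), as an added example that is not code from the paper: it uses exact rational arithmetic in place of p-adic arithmetic modulo a power of p, and assumes the equation has the form A K' B + A K X + Y K B = 0 that underlies the operator Λ' in the proof. All function names and the 2 × 2 sample equation are constructed for illustration; `log_convergent` tests condition (1) on the computed coefficients.

```python
from fractions import Fraction

def mul(P, Q):
    n = range(len(Q))
    return [[sum(r[k] * Q[k][j] for k in n) for j in n] for r in P]

def add(P, Q):
    return [[x + y for x, y in zip(r, s)] for r, s in zip(P, Q)]

def scale(c, P):
    return [[c * x for x in r] for r in P]

def inverse(P):
    """Gauss-Jordan inverse of an invertible square matrix over Q."""
    d = len(P)
    M = [[Fraction(x) for x in r] + [Fraction(int(i == j)) for j in range(d)]
         for i, r in enumerate(P)]
    for c in range(d):
        piv = next(i for i in range(c, d) if M[i][c] != 0)
        M[c], M[piv] = M[piv], M[c]
        M[c] = [x / M[c][c] for x in M[c]]
        M = [r if i == c else [x - r[c] * y for x, y in zip(r, M[c])]
             for i, r in enumerate(M)]
    return [r[d:] for r in M]

def coefficients(A, B, X, Y, K0, ell):
    """Yield K_0..K_{ell-1} with A K' B + A K X + Y K B = 0 (exact over Q).
    A, B, X, Y are lists of d x d matrices; only zeta coefficients are stored."""
    zeta = max(len(A) + len(B) - 2, len(A) + len(X) - 1, len(Y) + len(B) - 1)
    A0inv, B0inv = inverse(A[0]), inverse(B[0])
    window = {0: scale(Fraction(1), K0)}
    yield window[0]
    for k in range(ell - 1):
        rhs = scale(0, K0)
        for L, R, shift in ((A, B, 1), (A, X, 0), (Y, B, 0)):  # shift 1: K' term
            for a in range(len(L)):
                for c in range(len(R)):
                    b = k - a - c
                    if b >= 0 and not (shift and a == c == 0):  # a=c=0: K_{k+1} itself
                        w = b + 1 if shift else 1
                        rhs = add(rhs, scale(w, mul(mul(L[a], window[b + shift]), R[c])))
        new = scale(Fraction(-1, k + 1), mul(mul(A0inv, rhs), B0inv))
        window[k + 1] = new
        window.pop(k + 1 - zeta, None)   # forget K_{k+1-zeta}
        assert len(window) <= zeta       # zeta matrices, independent of ell
        yield new

def value_at_one(A, B, X, Y, K0, ell):
    """K(1) mod Gamma^ell as a running sum of the streamed coefficients."""
    total = scale(0, K0)
    for Kk in coefficients(A, B, X, Y, K0, ell):
        total = add(total, Kk)
    return total

def ord_p(q, p):  # p-adic valuation of a nonzero rational q
    q, v = Fraction(q), 0
    while q.numerator % p == 0:
        q, v = q / p, v + 1
    while q.denominator % p == 0:
        q, v = q * p, v - 1
    return v

def log_convergent(coeffs, p, x, y):
    """Condition (1): ord(K_i) >= -x * ceil(log_p(i + 1)) - y for every i."""
    for i, K in enumerate(coeffs):
        t = next(t for t in range(i + 2) if p ** t >= i + 1)  # ceil(log_p(i+1))
        if any(e != 0 and ord_p(e, p) < -x * t - y for r in K for e in r):
            return False
    return True

# Constructed sample (d = 2): (1 - Gamma) K' = N K with N nilpotent and K_0 = 1,
# whose solution is K = 1 - N log(1 - Gamma), i.e. K_k = N / k for k >= 1.
I2, N = [[1, 0], [0, 1]], [[0, 1], [0, 0]]
SAMPLE = dict(A=[I2, scale(-1, I2)], B=[I2], X=[scale(0, I2)], Y=[scale(-1, N)], K0=I2)
assert value_at_one(ell=5, **SAMPLE)[0][1] == Fraction(25, 12)
```

The denominators k in the sample coefficients are what costs p-adic precision: the series is (1, 0)-log convergent for p = 3 but not (0, 0)-log convergent.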
Note 3 Let $\gamma' \in \mathcal{O}_{\mathbb{K}}$, then it is in a similar way
possible to compute $K(\gamma')$ modulo $p^m$ with the same time and space
requirements as for $K(1)$ in the theorem.

Corollary 4 Let $\gamma_1, \ldots, \gamma_\ell \in \mathcal{O}_{\mathbb{K}}$ be
given with accuracy $m' := m + \alpha$, then with the same assumptions as in
Theorem 5 we can compute all matrices
$K(\gamma_1), \ldots, K(\gamma_\ell) \bmod p^m$ in
$\tilde{O}(\ell \zeta d^\omega n \varepsilon \log_2 p)$ bit operations and
$O(\ell d^2 n \varepsilon \log_2 p)$ bits of memory.

Proof. We will use fast multipoint evaluation. Let $f(x)$ be a polynomial
of degree less than $\ell$ over a ring $R$. Section 10.1 of [18] explains how
to evaluate $f(x)$ in $\ell$ elements of $R$ at once in such a way that it
requires only $\tilde{O}(\ell)$ arithmetic operations in $R$. Hence, taking
$R = \mathcal{O}_{\mathbb{K}}$ we can compute
$f(\gamma_1), \ldots, f(\gamma_\ell)$ modulo $p^{m'}$ in time
$\tilde{O}(\ell n m' \log_2 p)$ and space $O(\ell n m' \log_2 p)$.

We use Theorem 2 to compute $K(\Gamma)$ modulo $p^m$. As $K(\Gamma)$ need not be
integral, we work with $p^\alpha K(\Gamma) \bmod p^m$, a matrix polynomial over
$\mathcal{O}_{\mathbb{K}}$ of degree less than $\ell$. Now we can use the above
result to find $p^\alpha K(\gamma_1), \ldots, p^\alpha K(\gamma_\ell)$ modulo
$p^{m'}$ in time $\tilde{O}(d^2 \ell n m' \log_2 p)$ and space
$O(d^2 \ell n m' \log_2 p)$. Taking the maximum of this result (note that
$m' < \varepsilon$) and the complexities of Theorem 2 concludes the proof. ■



3 Hyperelliptic curves in odd characteristic 

In this section we will use some results from our paper [13] about the
application of deformation in point counting. Let p be an odd prime and suppose
we are given a hyperelliptic curve $\bar{E}_1$ over $\mathbb{F}_{p^n}$ of genus
g in Weierstrass form

$$y^2 = \bar{Q}_1(x) = x^{2g+1} + \sum_{i=0}^{2g} \bar{a}_i x^i \in \mathbb{F}_{p^n}[x],$$

where $\bar{Q}_1$ is squarefree. The purpose of this section is to compute the
zeta function of this curve in a memory efficient way, using Theorem 2. The
basic idea is to deform this equation to one defined over $\mathbb{F}_p$, which
will give us a differential equation of the kind considered in the previous
section. In [13] this was done by taking a family $y^2 = \bar{Q}(x, \Gamma)$
over $\mathbb{F}_p$ or a small extension field and substituting some
$\bar{\gamma} \in \mathbb{F}_{p^n}$ for $\Gamma$. This method however does not
allow us to compute the zeta function of a general hyperelliptic curve over
$\mathbb{F}_{p^n}$. In this paper we let $\bar{Q}(x, \Gamma)$ be defined over
$\mathbb{F}_{p^n}$ and we then specialize to $\Gamma = 1$. Combining this with
Theorem 5 yields our memory efficient algorithm. We assume p to be fixed in all
complexity estimates of this section.
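3.1 Overview of the deformation theory

Let $\bar{Q}_0(x) = x^{2g+1} + \sum_{i=0}^{2g} \bar{b}_i x^i \in \mathbb{F}_p[x]$
define a hyperelliptic curve $\bar{E}_0$ of genus g, for example
$\bar{Q}_0(x) := x^{2g+1} + 1$ if $p \nmid 2g + 1$ and
$\bar{Q}_0(x) := x^{2g+1} + x$ otherwise. We write $\mathbb{Q}_{p^n}$ for the
unique unramified degree n extension of $\mathbb{Q}_p$, $\sigma$ denotes the pth
power Frobenius automorphism on $\mathbb{Q}_{p^n}$ and $\mathbb{Z}_{p^n}$ is the
ring of integers of $\mathbb{Q}_{p^n}$. We recall that the Teichmüller lift
$\gamma \in \mathbb{Z}_{p^n}$ of $\bar{\gamma} \in \mathbb{F}_{p^n}$ is the
unique root of unity that reduces to $\bar{\gamma}$ modulo p. Further on we will
also need to extend $\sigma$ with $\sigma(\Gamma) := \Gamma^p$; the projection
$\mathbb{Z}_{p^n} \to \mathbb{F}_{p^n}$ is always denoted with a bar and an
algebraic closure of a field $k$ is denoted as $k^{\mathrm{alg\,cl}}$.

Let $a_i \in \mathbb{Z}_{p^n}$ and $b_i \in \mathbb{Z}_p$ be (arbitrary) lifts of
the coefficients $\bar{a}_i$ and $\bar{b}_i$, which gives us also lifts $Q_1$
and $Q_0$ of $\bar{Q}_1$ resp. $\bar{Q}_0$, monic polynomials of degree
$2g + 1$. We define the polynomial

$$Q(x, \Gamma) := x^{2g+1} + \sum_{i=0}^{2g} \left[ (a_i - b_i)\Gamma + b_i \right] x^i,$$

which gives a hyperelliptic curve
$\bar{E}_{\bar{\gamma}} : y^2 = \bar{Q}(x, \bar{\gamma})$ for almost all
$\bar{\gamma} \in \mathbb{F}_p^{\mathrm{alg\,cl}}$, and makes our notation
consistent regarding $\bar{E}_1$ and $\bar{E}_0$:

$$\bar{E}_1 : y^2 = \bar{Q}(x, 1) = \bar{Q}_1(x) \quad \text{and} \quad \bar{E}_0 : y^2 = \bar{Q}(x, 0) = \bar{Q}_0(x).$$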

We now give a short overview of the theory in [13]. Let $r(\Gamma)$ be the
resultant

$$r(\Gamma) := \mathrm{Res}_x\left( Q(x, \Gamma);\ \frac{\partial}{\partial x} Q(x, \Gamma) \right),$$

then it is clear from the construction of $Q(x, \Gamma)$ that $r(0)$ and $r(1)$
are units in $\mathbb{Z}_{p^n}$ and $\rho := \deg r(\Gamma) \leq 4g$. Suppose
$r(\Gamma) = \sum_{i=0}^{\rho} r_i \Gamma^i$, with $\rho'$ the degree of
$\bar{r}(\Gamma)$ we define
$\tilde{r}(\Gamma) := \sum_{i=0}^{\rho'} r_i \Gamma^i$. We defined in Sections
3.2 and 3.3 of [13] a ring $S$ and an $S$-module $T$, which can be represented
as (where $\dagger$ means overconvergent completion):

$$S := \mathbb{Q}_{p^n}\left[ \Gamma, \tilde{r}(\Gamma)^{-1} \right]^\dagger, \qquad T := \frac{\mathbb{Q}_{p^n}\left[ x, y, y^{-1}, \Gamma, \tilde{r}(\Gamma)^{-1} \right]^\dagger}{(y^2 - Q(x, \Gamma))}.$$

Let $d : T \to T\,dx$ be the differential $\frac{\partial}{\partial x} dx$ and
$\nabla : T \to T\,d\Gamma$ the connection
$\frac{\partial}{\partial \Gamma} d\Gamma$ such that $d(\Gamma) = \nabla(x) = 0$.
Then we showed that a certain submodule $H^-_{MW}$ of $T\,dx / d(T)$ is a free
$S$-module of rank $2g$, which, after substituting for $\Gamma$ any Teichmüller
lift $\gamma \in \mathbb{Q}_{p^n}$ which is no zero modulo p of $r(\Gamma)$,
gives the same $2g$-dimensional $\mathbb{Q}_{p^n}$-vector space as Kedlaya's
$A^\dagger \otimes \mathbb{Q}_{p^n}$, defined in Section 3 of [15]. We also
constructed a Frobenius map $F_p$ on $H^-_{MW}$ which after the specialization
$\Gamma \to \gamma$ again equals Kedlaya's. The following diagram is well
defined and commutes:

[commutative diagram] (5)

We have the $S$-basis $\{x^i\,dx/\sqrt{Q}\}_{i=0}^{2g-1}$ for $H^-_{MW}$ and can
hence define $(2g \times 2g)$-matrices over $S$ for our operators, namely
$G(\Gamma)$ for $\nabla$ and $F(\Gamma)$ for $F_p$, e.g.
$F_p(x^i\,dx/\sqrt{Q}) = \sum_j F_{ij}(\Gamma) x^j\,dx/\sqrt{Q}$. As Kedlaya
showed in [15], the main step in computing the zeta function of $\bar{E}_1$ is
to compute $F(1)$ up to a certain precision.

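Let $H(\Gamma) := r(\Gamma) G(\Gamma)$, then the equation, derived from (5), at
the end of Section 3.6 in [13] reads

$$r^\sigma r \frac{dF}{d\Gamma} + r^\sigma F H - p\Gamma^{p-1} r H^\sigma F = 0.$$

Here we use $r^\sigma$ and $H^\sigma$ for $r^\sigma(\Gamma^p)$ respectively
$H^\sigma(\Gamma^p)$. Substituting $K := r^M F$ for some integer $M > 0$ that is
made more precise below, this becomes

$$r^\sigma \frac{dK}{d\Gamma} r + r^\sigma K \left( H - M \frac{dr}{d\Gamma} \right) + \left( -p\Gamma^{p-1} H^\sigma \right) K r = 0,$$

which is of the form $\Lambda K = 0$ explained in Section 2.1 above, with
$d = 2g$,

$$A = r^\sigma, \quad B = r, \quad X = H - M \frac{dr}{d\Gamma} \quad \text{and} \quad Y = -p\Gamma^{p-1} H^\sigma.$$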


3.2 Computing the zeta function 

We will now determine the constants $\ell$, $\zeta$, $m$ and $\varepsilon$ in
order to apply Theorem 2. From Proposition 16 and Lemma 18 in [13] it follows
that with $\alpha := (2g - 1)(\lceil \log_p g \rceil + 2) + g = O(g \log g)$ we
have

$$\mathrm{ord}(F) = \mathrm{ord}(K) \geq -\alpha \quad \text{and} \quad \mathrm{ord}(F^{-1}) = \mathrm{ord}(K^{-1}) \geq -\alpha.$$

Proposition 17 of [13] (with $\kappa := \deg_\Gamma Q(x, \Gamma) = 1$) shows that
$\deg H \leq 8g$ and as a consequence we can take

$$\zeta := \max\{ (p+1)\rho,\ p\rho + 8g + 1,\ \rho + 8pg + p \} = O(g).$$

We note in passing that this Proposition 17 also implies that ord{H) > -j^rf
and hence the conditions $\mathrm{ord}(X), \mathrm{ord}(Y) \geq -\psi$ at the
end of Section 2.2 will be met.

We need F{1) modulo p™ with m defined as Ni, in Section 4 of [TSl, namely 
(with a = 1) 

+ n [\ogp{g) + 2\ + [2gn{\ogpg + 3)\ = O [ng log g). 



l)fogp2 
The exponent $M := p(2m + 4) + (p - 1)/2 = O(ng \log g)$ of $r(\Gamma)$ and the
precision $\ell$ are given by Proposition 16 in [13]:

$$\ell := (2m + 5)(8g + 2)p + 1 = O(ng^2 \log g).$$

Next we need $\gamma$ and $\delta$ such that (2) holds. For the solution $C$ of
$A \frac{dC}{d\Gamma} + YC = 0$ we can find this in Proposition 20 of [13]: the
matrix $C$ in that proposition does not correspond to $C$ in this paper, but the
result and proof are completely the same. The conclusion is that

$$C \text{ and } C^{-1} \text{ have } (2g \log_p g + g, 0)\text{-log convergence.}$$

We have that $K = C K_0 D$, and as a consequence $D = K_0^{-1} C^{-1} K$ and
$D^{-1} = K^{-1} C K_0$ have $(2g \log_p g + g, 2\alpha)$-log convergence. Hence
we can take $\gamma := 2g \log_p g + g = O(g \log g)$ and $\delta := 2\alpha$.
Now with $\psi = 2\alpha + 5\delta = 12\alpha$ we find

$$\varepsilon = m + (5\gamma + 1)\lceil \log_p \ell \rceil + \psi = O(ng(\log g)^2).$$

The analysis in [13], namely Steps 1, 2 and 5 of Section 6.3, shows that the
time and space requirements for computing $r$, $H$ and $K_0$ will not have any
influence on the result, and as a consequence we can apply Theorem 2 to find
$K(1) \bmod p^m$ in time

$$\tilde{O}(\ell \zeta g^\omega n \varepsilon) = \tilde{O}(g^{4+\omega} n^3)$$

and with memory requirements

$$O(\zeta g^2 n \varepsilon) = O(g^4 (\log g)^2 n^2). \qquad (6)$$

To conclude the algorithm we still need to approximate the matrix of .
First we compute $F(1) = r(1)^{-M} K(1)$ and then

$$\mathcal{F} = F(1)^{\sigma^{n-1}} \cdot F(1)^{\sigma^{n-2}} \cdots F(1)^{\sigma} \cdot F(1),$$

which can be certainly done in time 0{g^n^ + g^+'^n^) and memory 0{n^g^)
as explained in [15] (see however Section 4.2 for a much faster method). The
numerator of the zeta function equals $\det(1 - \mathcal{F}t)$ and can be found
in time 0{g'^^^'n?). These last complexities can all be found in Step 8 of
Section 6.3 of [13], where the memory requirements are bounded by (6). This
results in the following theorem.

Theorem 5 There exists an explicit and deterministic algorithm to compute
the zeta function of any hyperelliptic curve of genus g over $\mathbb{F}_{p^n}$,
with p odd, that uses $\tilde{O}(n^3 g^{4+\omega})$ bit operations and bit space
$O(n^2 g^4 (\log g)^2)$.
4 Additional applications

4.1 Hyperelliptic curves in even characteristic

By an argument similar to the one explained in the previous section, we can
prove the following result.

Theorem 6 There exists an explicit and deterministic algorithm that computes
the zeta function of any hyperelliptic curve of genus g over $\mathbb{F}_{2^n}$
using ^(n^g^+'^+Sr-) operations and 0{n'^g^+'' {log g)'^+'') bits of memory.
Here $\tau = 0$ for almost all curves and $\tau = 1$ in the general case.

In order to show this, one uses the results from [12], in turn partly inspired
by Denef and Vercauteren's article [7]. We want to point out that $\tau$ in the
theorem above will be precisely 0 when all $m_i$ are equal to 1 (or are bounded
by $O(1)$) in the notation of the beginning of Section 4 of [7]. More details
can be found in Section 5.3 of [10].

4.2 Many curves at once 

If we choose a family defined over $\mathbb{F}_{p^n}$ as in Section 3.1 (or in
an analogous way in characteristic 2), e.g. given by
$\bar{E}_\Gamma : y^2 = \bar{Q}(x, \Gamma)$, and
$\bar{\gamma}_1, \ldots, \bar{\gamma}_{g^2 n} \in \mathbb{F}_{p^n}$, we can
compute the zeta functions of the curves $\bar{E}_{\bar{\gamma}_i}$ all at once
in a very efficient way. There are three main steps needed in order to achieve
this. First, computing the Teichmüller lifts of all $\bar{\gamma}_i$ modulo
$p^\varepsilon$ can be done in time 0{g'^n{ney~^P) or O{{n^ g^Y~^P) for any
$\rho > 0$ as shown in [11, Proposition 6]. Second, we compute all the matrices
of the pth power Frobenius using Corollary 4 above in time
$\tilde{O}(n^3 g^{4+\omega})$. And third, in order to retrieve the matrices of
the qth power Frobenius and hence the zeta functions, we can use Kedlaya's
trick [15, Section 5] combined with Proposition 3 of [11], resulting in a time
complexity bounded by 0((g'^n){n'^g^^'^y'^P). Noting that all these algorithms
are deterministic we conclude with the following theorem:

Theorem 7 Suppose we are given a family
$\bar{E}_\Gamma : y^2 = \bar{Q}(x, \Gamma)$ over $\mathbb{F}_{p^n}$ and
$\bar{\gamma}_1, \ldots, \bar{\gamma}_{g^2 n} \in \mathbb{F}_{p^n}$ such that
$\bar{E}_0$ is defined over $\mathbb{F}_p$ and all $\bar{E}_{\bar{\gamma}_i}$
and $\bar{E}_0$ are hyperelliptic curves of genus g. Choose $\rho > 0$. There
exists an explicit and deterministic algorithm that computes the zeta functions
of all curves $\bar{E}_{\bar{\gamma}_i}$ that requires C'(n^+''g^+") bit
operations.

In an obvious way a similar algorithm can be shown to exist for characteristic
2.

This result could be interesting if one wants to find a curve with a special
property, as is the case in cryptography. For example, suppose that we want to
find a curve over $\mathbb{F}_{p^n}$ with $N$ as order of its jacobian, such
that $N$ has a very large prime factor. Then we can expect that we have to try
$O(n)$ curves in order to find such a curve, and this is exactly something we
can do very efficiently as explained above.

In [3] deformation is used for the computation of the zeta function of
$C_{a,b}$ curves, and as explained in Section 5.4 of that paper similar results
as above apply.

4.3 Hypersurfaces 

Finally we can also use our memory efficient algorithm for solving differential
equations in the context of hypersurfaces. For example, Lauder gives in [16] an
algorithm that computes the zeta function of certain hypersurfaces satisfying
an 'almost diagonal' equation over $\mathbb{F}_{p^n}$. As he uses deformation as
the main step in this result, the memory requirements drop from cubic to
quadratic in n using the result in this paper. Gerkmann discusses in [5] several
deformation strategies for smooth projective surfaces, and an important step in
there is again solving such a differential equation. Although the improvements
depend on the type of algorithm considered, most algorithms presented in [5]
will profit from Theorems 2 and 7.